{"id":"CURL-CVE-2022-35260","summary":".netrc parser out-of-bounds access","details":"curl can be told to parse a `.netrc` file for credentials. If that file ends\nin a line with consecutive non-white space letters and no newline, curl could\nread past the end of the stack-based buffer, and if the read works, write a\nzero byte possibly beyond its boundary.\n\nThis does in most cases cause a segfault or similar, but circumstances might\nalso cause different outcomes.\n\nIf a malicious user can provide a custom netrc file to an application or\notherwise affect its contents, this flaw could be used as denial-of-service.","aliases":["CVE-2022-35260"],"modified":"2026-05-27T02:29:08.929286Z","published":"2022-10-26T08:00:00Z","database_specific":{"affects":"both","CWE":{"id":"CWE-121","desc":"Stack-based Buffer Overflow"},"www":"https://curl.se/docs/CVE-2022-35260.html","URL":"https://curl.se/docs/CVE-2022-35260.json","package":"curl","severity":"Low","last_affected":"7.85.0","award":{"amount":"480","currency":"USD"},"issue":"https://hackerone.com/reports/1721098"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.84.0"},{"fixed":"7.86.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"eeaae10c0fb27aa066fdc296074edeacfdeb6522"},{"fixed":"c97ec984fb2bc919a3aa863e0476dffa377b184c"}]}],"versions":["7.85.0","7.84.0","curl-7_85_0","curl-7_84_0"],"database_specific":{"vanir_signatures":[{"id":"CURL-CVE-2022-35260-160145d4","target":{"file":"lib/netrc.c"},"source":"https://github.com/curl/curl.git/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c","signature_type":"Line","digest":{"line_hashes":["180427015040107051142020780991285257601","12266610536744085025426950927789246656","239996747545646643857373774366118206214","155731445442491039909521538273623993567","13387141666045107090636801487925201828","236656013171553531523123233181236102705","291370677559807464361649642919627712906","189498903837610303202040316232963631453","336093627987848099735496758689677859858","281586029754934110310274338936161049042","49602197324668631132655678939136460433","147192411820326919159921496268724779251"],"threshold":0.9},"signature_version":"v1","deprecated":false},{"id":"CURL-CVE-2022-35260-42bd6a15","target":{"file":"lib/curl_get_line.c"},"source":"https://github.com/curl/curl.git/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c","signature_type":"Line","digest":{"line_hashes":["270365102834818624247507427346324617966","215529985526274021885683770136614352972","56969867792278034327518773244213351659","40181591141037536283781885935929912616","106575340799568553470923334291638780737","293921489964482779306311867020551921762"],"threshold":0.9},"signature_version":"v1","deprecated":false}],"vanir_signatures_modified":"2026-05-27T02:29:08Z","source":"https://curl.se/docs/CURL-CVE-2022-35260.json"}}],"schema_version":"1.7.5","credits":[{"name":"Hiroki Kurosawa","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}